pyftpdlib
pyftpdlib copied to clipboard
All masquerade address tests fail with AssertionError: '127.0.0.1' != … with Python >= 3.9.3
Hi, I'm pretty sure the cause of this is:
bpo-43285: ftplib no longer trusts the IP address value returned from the server in response to the PASV command by default. This prevents a malicious FTP server from using the response to probe IPv4 address and port combinations on the client network. Code that requires the former vulnerable behavior may set a trust_server_pasv_ipv4_address attribute on their ftplib.FTP instances to True to re-enable it.
This fix was applied to:
- 3.6.14
- 3.7.11
- 3.8.9
- 3.9.3
It causes the following failures with Python 3.9.3 (no problem with 3.9.2):
FAILED pyftpdlib/test/test_functional.py::TestConfigurableOptions::test_masquerade_address - AssertionError: '127.0.0.1' != '256.256.256.256'
FAILED pyftpdlib/test/test_functional.py::TestConfigurableOptions::test_masquerade_address_map - AssertionError: '127.0.0.1' != '128.128.128.128'
FAILED pyftpdlib/test/test_functional_ssl.py::TestConfigurableOptions::test_masquerade_address - AssertionError: '127.0.0.1' != '256.256.256.256'
FAILED pyftpdlib/test/test_functional_ssl.py::TestConfigurableOptions::test_masquerade_address_map - AssertionError: '127.0.0.1' != '128.128.128.128'
FAILED pyftpdlib/test/test_functional_ssl.py::TestConfigurableOptionsTLSMixin::test_masquerade_address - AssertionError: '127.0.0.1' != '256.256.256.256'
FAILED pyftpdlib/test/test_functional_ssl.py::TestConfigurableOptionsTLSMixin::test_masquerade_address_map - AssertionError: '127.0.0.1' != '128.128.128.128'
Here's the exact error from the first one:
_________________________________________________________________________________ TestConfigurableOptions.test_masquerade_address _________________________________________________________________________________
self = <pyftpdlib.test.test_functional.TestConfigurableOptions testMethod=test_masquerade_address>
def test_masquerade_address(self):
# Test FTPHandler.masquerade_address attribute
self.server = self.server_class()
self.server.handler.masquerade_address = "256.256.256.256"
self.server.start()
self.connect()
host, port = self.client.makepasv()
> self.assertEqual(host, "256.256.256.256")
E AssertionError: '127.0.0.1' != '256.256.256.256'
E - 127.0.0.1
E + 256.256.256.256
Reproduced with Python 3.9.9 on GNU Guix.